Why Load Balance Firewalls and VPN Switches?


Firewalls are the devices that we use to protect data. By configuring them to allow only certain devices or applications access to our network, we can control who gains access, when, and how.

By their very nature, firewalls are stateful devices: they need to see the entire conversation between user and server to ensure that no rules are broken during the session flow. Traditional firewalls therefore typically inspect each packet to determine whether it adheres to the configured policy, and then perform the action associated with the matching rule. That action can be to allow, deny, or even NAT the packet.

Using these features reduces the vulnerability of a network, but typically also reduces the performance of traffic into and out of that network. Firewalls, while they offer the best protection available, do impact performance. This is something that organizations and individuals have come to expect and accept, as performance is not a goal if security cannot be assured. Many firewall vendors have tried to increase performance by engineering the software, and in some cases the hardware, to better handle the statefulness of traffic and increase throughput. Third-party manufacturers provide software that allows firewalls to be clustered and therefore share the load of a busy site. All of this is designed to increase performance and minimize the bottleneck that firewalls introduce. Second to this, and sometimes an equal requirement depending on the organization, is the need to provide resilience and redundancy to minimize network downtime.

Any software-based solution brings with it the overhead of running an additional service on a device that is designed to provide network protection. To overcome this, content switch manufacturers have seen an opportunity to let their switches load balance these important devices. Because content switches are session aware (in other words, stateful), they can participate in the flow of traffic, ensuring that sessions return via the same path by which they entered the network. From a firewall standpoint, this is perfect, as they require a stateful session.

In addition to this, the content switch can handle and direct a great deal more traffic through multiple firewalls and ensure that only active firewalls are used. Likewise with a VPN device, the need to provide not only resilience but also throughput becomes paramount. We will discuss later in this chapter the intricacies involved when load-balancing sessions whose data is often encrypted. Suffice it to say at this stage that it is the intelligence of the content switch that enables VPN and firewall load balancing to be powerful and widely deployed content networking applications.
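The two properties the chapter attributes to a content switch in front of a firewall pool, that both directions of a session traverse the same firewall and that only firewalls passing a health check receive new sessions, can be modelled in a few dozen lines. The following is an added illustration, not code from the book or from any switch vendor; the firewall names, addresses, the direction-independent session key and the hash-based selection are all constructed assumptions used to show the mechanism, not a description of any product's implementation.

```python
"""Toy model of a session-aware content switch load balancing firewalls.

Added example, not from the book. It shows two behaviours the chapter
describes: (1) a request and its reply (addresses swapped) are sent through
the same firewall, so the firewall sees the whole stateful conversation, and
(2) new sessions only go to firewalls that currently pass a health check.
Names, addresses and the selection scheme are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """A 5-tuple identifying one direction of a session."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self) -> tuple:
        """Direction-independent session key.

        Sorting the two endpoints makes the client->server packet and the
        server->client reply produce the same key, which is what lets the
        switch pin both directions to one firewall.
        """
        a = (self.src_ip, self.src_port)
        b = (self.dst_ip, self.dst_port)
        return (self.proto,) + tuple(sorted([a, b]))


@dataclass
class FirewallPool:
    firewalls: list                                 # all firewalls in the pool
    healthy: set = field(default_factory=set)       # those passing health checks
    sessions: dict = field(default_factory=dict)    # session key -> firewall

    def __post_init__(self):
        self.healthy = set(self.firewalls)          # assume all up at start

    def mark_down(self, fw: str) -> None:
        """Health check failed: stop using fw for new sessions and flush the
        sessions pinned to it (its own state table is gone with it)."""
        self.healthy.discard(fw)
        self.sessions = {k: v for k, v in self.sessions.items() if v != fw}

    def mark_up(self, fw: str) -> None:
        """Health check passed again: fw is eligible for new sessions."""
        self.healthy.add(fw)

    def select(self, flow: Flow) -> str:
        """Return the firewall this packet must traverse."""
        key = flow.key()
        if key in self.sessions:                    # established: keep the path
            return self.sessions[key]
        candidates = sorted(self.healthy)
        if not candidates:
            raise RuntimeError("no healthy firewall available")
        digest = hashlib.sha256(repr(key).encode()).digest()
        chosen = candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
        self.sessions[key] = chosen                 # pin for the session's life
        return chosen


def demo() -> dict:
    """Walk through one session and one firewall failure; returns the results."""
    pool = FirewallPool(["fw-a", "fw-b", "fw-c"])
    # Constructed sample traffic: a client on 203.0.113.10 reaching an HTTPS server.
    request = Flow("tcp", "203.0.113.10", 51000, "198.51.100.5", 443)
    reply = Flow("tcp", "198.51.100.5", 443, "203.0.113.10", 51000)
    first = pool.select(request)
    same_path = pool.select(reply) == first         # reply follows the request
    other = next(f for f in pool.firewalls if f != first)
    pool.mark_down(other)                           # unrelated firewall fails
    still_pinned = pool.select(request) == first    # session unaffected
    pool.mark_down(first)                           # our firewall fails
    rerouted = pool.select(request)                 # new session elsewhere
    return {"first": first, "same_path": same_path,
            "still_pinned": still_pinned, "rerouted": rerouted}


if __name__ == "__main__":
    print(demo())
```

The point to notice is in `Flow.key`: a selector that hashed the 5-tuple as seen on the wire would give different keys for the request and its reply, and under a changing pool the reply could land on a firewall that never saw the session open, which a stateful firewall would drop. Pinning on a direction-independent key, and keeping a session table rather than rehashing on every packet, is what keeps the path stable when the pool membership changes.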



Optimizing Network Performance with Content Switching: Server, Firewall and Cache Load Balancing
ISBN: 0131014684
Year: 2003
Pages: 85
